Facebook and Dropbox Apps Have Major Security Hole

Posted April 6, 2012 at 2:56pm by iClarified | Please help us and submit a translation by clicking here | 14430 views

A security hole in the Facebook and Dropbox apps makes it possible for someone to obtain access to your account, reports Gareth Wright and TNW. The applications are storing your authentication key and secret in plain text making it easy for someone with access to your device to copy the authentication information.

Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. What was contained within was shocking. Not an access token but full oAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly the expiry in the plist is set to 1 Jan 4001!

Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app

My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.

After being contacted by TNW about the security hole, Facebook tried to blame it on jailbreaking.

Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.

Their statement that attempts to pass the buck to jailbreaking is completely untrue as TNW was able to verify. "Using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak."

The site also managed to find the same plist vulnerability in the Dropbox app. Currently the only way to protect yourself from this exploit is to make sure no one else has access to your device. This means staying away from public terminals where a script could be used to capture the plists from your device.